[Oisf-devel] <Error> (ReceivePfring) -- [ERRCODE: SC_ERR_PF_RING_RECV(31)] - pfring_recv error -1
Chris Wakelin
c.d.wakelin at reading.ac.uk
Thu Aug 4 16:49:46 UTC 2011
On 04/08/11 17:36, Peter Manev wrote:

> Hi,
> Can you please try the following:
> 1. Increase the MTU to 1522

Yes, trying that now with native PF_RING, but doesn't seem to make any
difference.

> 2. Can you try to point suricata to listen to the VLAN interface directly
> for example: suricata -c /etc/suricata/yaml -i eth0.15

Only inbound packets are VLAN-tagged, e.g. ARGUS ratop shows

> StartTime Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State sVlan dVlan
> 17:38:42.013921 M s tcp xxx.xxx.216.22.22 <?> 134.225.yyy.yyy.60262 187072 234694540 E 0x0fa1
> 17:38:43.533109 M s tcp xxx.xxx.216.23.22 <?> 134.225.yyy.yyy.58316 86514 112270100 E 0x0fa1
> 17:38:42.749149 M * tcp 134.225.uuu.uuu.36552 -> vvv.vvv.134.84.80 82389 84852685 sSE 0x0fa1

I think if I tried -i eth1.64001 I'd miss half the traffic?

> 3. is there any difference?
> 4. A pcap would be helpful to further explore the issue (should you
> consider).

Most of the packets aren't flagging errors, so it's a bit of a needle in
a haystack. I have a couple that I sent to Will that gave AppLayerParse
errors in "http" when using native PF_RING but not PF_RING-enabled
libpcap. Increasing MTU from the default (1514 presumably) to 1515 fixed
them :)

Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094